About SARowe_NZ

Hi, It's a constant pain with Palo and I can't believe they still don't have a solution to provide automated gateway redundancy but that is the reality (unless you have A/A firewalls which almost no one can do).   In your scenario you only need the IP on the interface on the second firewall if that firewall needs to route over that interface under BAU. If it does not, you can simply have the interface with the real IP on your primary firewall and no IP on the secondary firewall, then create it on the secondary firewall in a failover scenario. If dealing with multiple interfaces you can script it to create/move the IP a little faster.   Another way I've dealt with this (when using more upstream or downstream routers is not an option) is to create all your required interfaces in a second VRF on the second firewall, all with the real IP address. If you have a failure, just enable routing between the VRFs to "liven up" all the interfaces that are usually offline. This could be static if your subnetting allows for a single route in each direction, or you could use a dynamic protocol and just have it disabled under BAU. This works really well for DR / BCP environments or when dealing with a lot of interfaces that would make manually moving IPs very tedious.   Not saying it's a solution - just another way of working around the lack of functionality... ... View more

As a test, or if you completely trust this particular website, you could also exclude it from decryption; but I always prefer to resolve it properly and allow the firewall to decrypt and inspect the traffic for threats instead of just excluding decryption and blinding trusting it. ... View more

Hi, The error states this has come from the client and means that the client does not trust the issue URL. Palo has pulled out the originating CA Cert for you but the issue is most likely you are doing decryption and the client does not trust your decryption cert. This is either because: 1) it does not have the decryption cert chain installed and/or trusted 2) the browser is not using the machine trust store (e.g. firefox) and maintains its own trust store that will need the cert chain adding   We also see this when the traffic is from inside an application that does not use the machine trust store, or is doing cert pinning but you state your issue is with browsing so probably not that.   Cheers, Shannon ... View more

Hey yes - device certs were all good and logs were being successfully sent to CDL, and retrieved from CDL by Panorama. ... View more

Hey - thanks for the response. I think this is resolved (has proved stable a couple of days now). What seemed to jiggle it lose was enable the free version of AI Ops on the firewalls. Not sure how that is related, or even if that is just a coincidence. ... View more